System and method for identifying users in a distributed network

ABSTRACT

A communications network includes several computers connected to a communications medium. In one embodiment, a client computer has a unique identification number that is embedded within a processor. The client computer includes a client module which generates a message that includes the identification number and sends the message over the communications medium. Another computer receives the message and retrieves the identification number from the message. In addition, the computer processes the identification number and updates an identification database. The processing of the identification number and the updating of the identification database is triggered when the message is received.

BACKGROUND OF THE INVENTION

[0001] 1. Field of the Invention

[0002] The invention generally relates to computer networks. More particularly, the invention relates to a system and method for identifying users in a distributed network.

[0003] 2. Background

[0004] An example of a basic computer network includes two computers that are interconnected. A more sophisticated computer network includes a multiplicity of computers that form a distributed computer network such as the Internet.

[0005] The Internet is a global network of computers. The structure of the Internet is a network backbone with networks branching from the backbone. These branches, in turn, have networks branching from them, and so on. Routers move information packets from network to network, until the information packets reach their destination. For a more detailed description of the structure and operation of the Internet, please refer to “The Internet Complete Reference,” by Harley Hahn and Rick Stout, published by McGraw-Hill, 1994.

[0006] One popular part of the Internet is the World Wide Web. The World Wide Web contains computers that display graphical and textual information. Computers that provide information on the World Wide Web are typically called “websites.” A website is defined by an Internet address that has an associated electronic page, often called a “home page.” Generally, a home page is an electronic document that organizes the presentation of text, graphical images, audio and video into a desired display. These websites are operated by a wide variety of entities that are typically called “content providers.”

[0007] A user may access the Internet using a home personal computer (PC) equipped with a conventional modem. Special interface software is installed within the PC so that when the user wishes to access the Internet, an attached modem is automatically instructed to dial the telephone number associated with the local Internet host server. The user can then access information at any address accessible over the Internet. Two well-known software interfaces, for example, are the Netscape Navigator developed by Netscape, Inc. and the Microsoft Internet Explorer developed by Microsoft Corporation.

[0008] Information exchanged over the Internet is typically encoded in HyperText Mark-up Language (HTML) format. The HTML format is a scripting language that is used to generate the home pages for different content providers. In this setting, a content provider is an individual or company that places information (content) on the Internet so that it can be accessed by others. As is well known in the art, the HTML format is a set of conventions for marking different portions of a document so that each portion appears in a distinctive format. For example, the HTML format identifies or “tags” portions of a document to identify different categories of text (e.g., the title, header, body text, etc.). When a web browser accesses an HTML document, the web browser reads the embedded tags in the document so it appears formatted in the specified manner.

[0009] The structure of the Internet as such and the easy access to it are reasons why the Internet is considered to be an “untrusted” network. In view of the amount of transactions that occur over the Internet, secured transactions are of great importance. In addition, the parties involved in a transaction should be able to rely on the identity of the other party with whom personal and confidential data is exchanged.

[0010] Common methods of securing transactions and authenticating/identifying users occur via passwords and/or account numbers. This authentication information is in most cases coupled with personal user data such as credit card number, billing address, phone number, etc. While transmitted over the Internet, this information is exposed to a large number of users who may fraudulently intercept the information.

[0011] In addition to these security concerns, a further concern is that users can camouflage their real identity, for example, by regularly changing the screen name and/or their return address in an electronic mail message (email).

SUMMARY OF THE INVENTION

[0012] The present invention provides a system and a method of identifying computer users. In one embodiment, a communications network includes several computers connected to a communications medium. A client computer includes an identification module that provides a unique identification number. In the following description, a module includes, but is not limited to, software or hardware components that perform certain tasks. Thus, a module may include object-oriented software components, class components, methods, functions, attributes, procedures, subroutines, segments of program code, drivers, firmware, microcode, circuitry, data, data structures, tables, arrays, variables, etc. For example, the identification number can be implemented in the computer's central processor or in read only memory, a smart card, etc. In one embodiment, the identification number is embedded within a processor.

[0013] The client computer includes a client module that generates a message that includes the identification number and sends the message over the communications medium. Another computer receives the message and retrieves the identification number from the message. The computer also updates an identification database. The processing of the identification number and the updating of the identification database is triggered when the message is received.

[0014] An aspect of the invention involves a method of maintaining a user identification database that indicates when users are in communication with a network. The method includes the acts of associating, in a computer accessible storage medium, electronic mail addresses, processor-embedded identifiers and status information. A first electronic message is received from a first computer. The first electronic message contains an electronic mail address and a copy of the processor-embedded identifier existing in the first computer. The first electronic mail address is used to access the corresponding processor-embedded identifier stored in the storage medium. The processor-embedded identifier from the first computer is compared with the processor-embedded identifiers of the storage medium. The status information in the storage medium is modified to indicate that the first electronic mail address is authentic when the processor-embedded identifier from the first computer matches a processor-embedded identifier of the storage medium.

[0015] Another aspect of the invention involves a method of establishing a conferencing connection. A first processor-specific identifier embedded within a first computer is received by a second computer when the first computer is in communication with a communications medium. A second processor-specific identifier embedded within the second computer is received by the first computer when the second computer is in communication with the communications medium. The first computer provides an indication that the second computer is in communication with the communications medium in response to a request from the first computer to initiate a conferencing connection with the second computer.

[0016] A further aspect of the invention involves a method of identifying computer users by using processor-specific identifiers. The method includes the acts of receiving a first processor-specific identifier that is embedded within a computer processor, accessing a database that associates processor-specific identifiers with information about users of computer processors; and obtaining the information of a computer processor user that corresponds to the first processor-specific identifier.

[0017] Another aspect of the invention involves a method of identifying users by using manufacturer-embedded identifiers. The method includes the acts of associating a database of manufacturer-embedded identifiers with information about users, wherein each manufacturer-embedded identifier is associated with information about a user; and using the manufacturer-embedded identifier to access the user information that corresponds to the manufacturer-embedded identifier.

[0018] A still further aspect of the invention involves a method of monitoring when a processor accesses a communications medium by using a processor-specific identifier that is embedded within the processor. The method includes the acts of receiving from a first processor a processor-specific identifier embedded therein when the first processor is in communication with a communications medium; and updating a database to indicate that the first processor is in communication with the communications medium.

[0019] A further aspect of the invention involves a computer system including first and second computers. The first computer is connectable to a communications medium and comprises an identification module that provides a computer-specific identification number. The first computer encloses the identification number to a message for sending over the communications medium. The second computer is connectable to the communications medium to receive the message and to retrieve the identification number from the message. The second computer comprises a database configured to process the identification number of the first computer to identify the first computer.

[0020] A further aspect of the invention involves a communications network that includes first and second computers and a server computer. The first computer is connectable to a communications medium and comprises a first identification module that provides a first identification number. The first computer generates a first message including the first identification number for sending over the communications medium. The second computer is connectable to the communications medium. The computer server is connectable to the communications medium and comprises an identification database. The computer server receives the first message and retrieves the first identification number from the first message. The computer server further processes the first identification and updates the identification database.

[0021] An additional aspect of the invention involves a computer that includes a communications module configured to receive and send electronic messages; and a database. The database stores electronic message addresses and corresponding processor-specific identifiers. The database is configured to be updated through a first electronic message containing a first electronic message address and a first processor-specific identifier.

[0022] For purposes of summarizing the invention, certain aspects, advantages and novel features of the invention have been described herein. Of course, it is to be understood that not necessarily all such advantages may be achieved in accordance with any particular embodiment of the invention. Thus, the invention may be embodied or carried out in a manner that achieves or optimizes one advantage or group of advantages as taught herein without necessarily achieving other advantages as may be taught or suggested herein.

BRIEF DESCRIPTION OF THE DRAWINGS

[0023] These and other features and advantages of the invention become more apparent upon reading the following detailed description and upon reference to the accompanying drawings:

[0024] FIG. 1 shows a block diagram of one embodiment of a computer network.

[0025] FIG. 2 shows a block diagram of a further embodiment of a computer network.

[0026] FIG. 3 shows an embodiment of a database structure.

[0027] FIG. 4 shows a flow chart of a registration procedure.

[0028] FIG. 5 shows a block diagram of a multiple user computer network.

[0029] FIG. 6 shows a flow chart of a look-up procedure.

[0030] FIG. 7 shows a block diagram of a further embodiment of a computer network.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

[0031] FIG. 1 shows a block diagram of one embodiment of a computer network. The computer network includes two computers 2, 4 that communicate with each other by use of a communications medium 6. In one embodiment, each computer 2, 4 is in the domain of a different user. The communications medium 6 can be, for example, an individual coaxial cable or an individual telephone line, however, a wide range of communications media can be used. For instance, the communications medium 6 can be part of a telephone network, a cable television network, a wireless data transmission system, a customized computer network, and the like typically used in the field of data communications.

[0032] Both computers 2, 4 can be conventional computers each running an appropriate operating system such as, but not limited to, Microsoft Windows 3.1, Microsoft Windows 95 or Windows 98, Microsoft Windows NT, the Apple MacOS, UNIX, LINUX, or the like. As is conventional, the computers 2, 4 have appropriate hardware such as microprocessors, memory devices and communications devices. The microprocessors are in one embodiment Pentium III processors available from Intel Corporation. The communications devices are typically modems or network interface devices that handle incoming and outgoing message traffic passed over the communication medium 6.

[0033] The computer 2 includes an identification module 8 that provides a unique identification number or serial number for the microprocessor. In one embodiment, the identification module 8 is implemented within the microprocessor. The identification number, hereinafter referred to as the ID number, is permanently stored within the microprocessor and, thus, secured against unauthorized manipulation.

[0034] In another embodiment, the identification module 8 can be embedded in a separate hardware or software component. The components are closely associated with the microprocessor within the computer 2 so that the microprocessor can read the ID number from the components. For instance, the component can be implemented on an add-on board that the user can plug into the computer 2 to up-grade the computer 2. Generally, however, the component can be implemented with a hard disk, a ROM, a non-volatile memory, a smart card, a diskette, a compact disk, and an electrically erasable programmable ROM (EEPROM). The smart card stores an ID number that is unique for a specific user. The user can then use different computers and always have the same ID number.

[0035] As described below in greater detail, the computer 4 includes a database 7 that is stored in a computer accessible storage medium. The database 7 stores the ID number of the computer 2. The ID number can be input through the user of the computer 4, or through a registration procedure when the computer 2 communicates with the computer 4. For example, a computer manufacturer can input the ID numbers of all sold computers 2 into the database 7, for example, for purposes of future customer service. In the embodiments described hereinafter, however, the database stores and registers the computer 2 connected to the computer 4 through the registration procedure.

[0036] Although the computer 4 is connected to the computer 2, it is contemplated that the database 4 is configured to register any computer that communicates with the computer 4 and includes an identification module 8. As soon as the computer 2, or any additional computer, is registered, the computer 4 can identify and authorize the computer 2 during subsequent communications.

[0037] Further, the computer 2 can include an optional encoding module 10. The encoding module 10 can encrypt, encode, hash or scramble the ID number so that the ID number cannot be directly accessed. Furthermore, the same ID number can be encoded, hashed or scrambled in different manners with different client modules.
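The following added example, which is not part of the patent text, shows one way an encoding module could hash the same ID number differently for different client modules, using a keyed hash (HMAC-SHA256). The module names, keys, `Registry` class and sample ID value are assumptions constructed for illustration.

```python
import hashlib
import hmac

# Constructed per-module keys (assumption: each client module carries its own key).
MODULE_KEYS = {
    "mail-client": b"constructed-key-for-mail-client",
    "shop-client": b"constructed-key-for-shop-client",
}


def encode_id(id_number: int, module: str) -> str:
    """Return the module-specific encoding of a raw ID number.

    A keyed hash is used because an unkeyed hash of a short ID number
    can be reversed by enumerating every possible ID.
    """
    raw = id_number.to_bytes(8, "big")
    return hmac.new(MODULE_KEYS[module], raw, hashlib.sha256).hexdigest()


class Registry:
    """Receiving side: stores encoded IDs only, one namespace per client module."""

    def __init__(self):
        self._users = {}  # (module, encoded ID) -> user label

    def register(self, module: str, encoded_id: str, user: str) -> None:
        self._users[(module, encoded_id)] = user

    def identify(self, module: str, encoded_id: str):
        """Return the registered user, or None if this encoding is unknown."""
        return self._users.get((module, encoded_id))


def demo():
    """Register one computer with the mail module, then look it up two ways."""
    raw_id = 0x0A1B2C3D4E5  # constructed sample ID number
    mail_token = encode_id(raw_id, "mail-client")
    shop_token = encode_id(raw_id, "shop-client")

    registry = Registry()
    registry.register("mail-client", mail_token, "alice")

    return {
        "tokens_differ": mail_token != shop_token,
        "mail_lookup": registry.identify("mail-client", mail_token),
        # The shop module's encoding of the same ID does not match the
        # mail module's registration, so the two cannot be linked.
        "cross_lookup": registry.identify("mail-client", shop_token),
    }


if __name__ == "__main__":
    print(demo())
```

The receiving side never holds the raw ID number, and an encoding observed in one client module is of no use for lookups in another.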

[0038] Besides the hardware components illustrated in FIG. 1, it is contemplated that each computer 2, 4 has appropriate application and communications software modules. The software modules include, for example, Internet access software, cable modem software, two-way communications software, point-to-point software, the hasher software, software to retrieve and process the ID number from the identification module 8, and the like.

[0039] The communications modules, for example, allow communications between the computers 2, 4 in accordance with preferably standardized communications protocols. In one typical application, the communications protocols support the exchange of emails. These communications protocols include a Transmission Control Protocol/Internet Protocol (TCP/IP), a Simple Mail Transfer Protocol (SMTP), a File Transfer Protocol (FTP), a Hypertext Transfer Protocol (HTTP) and a Lightweight Directory Access Protocol (LDAP).

[0040] The TCP/IP is a protocol that specifies how computers exchange data over the Internet. The TCP/IP handles tasks such as packetization, packet addressing, handshaking and error correction. The SMTP is used to transfer email between computers. Generally, the SMTP is a server-to-server protocol, so other protocols are used to access the messages. The SMTP dialog usually happens in the background under the control of a message transport system. The FTP is a client-server protocol that allows a user on one computer to transfer files to and from another computer over a TCP/IP network. The HTTP is a client-server TCP/IP protocol used on the World-Wide Web for the exchange of HTML documents. The LDAP is a relatively simple protocol for updating and searching directories running over TCP/IP, as described below in greater detail.

[0041] In addition, the communications modules can support H.323, the standard for conferencing over the Internet and within intranets, H.245, the control standard for multimedia communications as well as a wide variety of communication standards such as H.261, H.263 and the like. Furthermore, the communication modules can support a wide range of networking standards such as Ethernet, frame relay, integrated digital services network (ISDN), ISDN digital subscriber network, T1 carrier system, E1, E2, E3, E4 and E5 carriers, digital subscriber lines, cable networking protocols, fiber-distributed-data interface, synchronous digital hierarchy, and the like.

[0042] Computers can communicate with each other, for example, over the Internet, because each computer can be addressed individually. In such embodiments, certain computers have an assigned Internet protocol address (IP address). The IP address is a 32-bit host address that is usually represented in dotted decimal notation, for example, 128.121.4.5. The decimal IP address is in most cases not known to the user. In addition, most users are not aware that this IP address exists. In addition, in many embodiments, a computer user has an assigned email address that specifies the source or destination of the message. The email address is typically in the form of “name@xyz.com”, for example, as known in the art.

[0043] In accordance with one embodiment of the present invention, the ID number serves to address, identify and authorize computers. As mentioned above, the ID number is unique to a computer and cannot be altered. This provides a higher degree of reliability and security, because the IP address and the email address can be altered. For instance, some users alter the email address or the address field to camouflage the return address and, thus, their real identity.

[0044] Returning to the embodiment illustrated in FIG. 1, the user of the computer 2 writes an email to be sent to the user of the computer 4. When the email is composed and the user initiates transmission to the computer 4 over the communications medium 6, the communications software (e.g., SMTP) automatically converts the email into an appropriate electronic data format. Besides the actual email message, the return email address and the return IP address, the data format includes, in accordance with the present invention, the microprocessor-specific ID number.

[0045] The computer 4 receives the electronic representation of the email and converts it back to a user-readable message. During the process of converting, the computer 4 extracts the received ID number and compares (looks-up) it with the ID number(s) stored in the database 7. When the received ID number matches one of the stored ID numbers, the computer 4 accepts the email as one received from an authorized computer.

[0046] The look-up of the ID number is generally triggered by an event. That is, when the computer 4 receives the email message, the look-up procedure starts. It is contemplated that the user of the computer 4 can define the specifics of the event-triggered look-up. For instance, the user can define if a notification of the requested look-up shall occur or if a recording or display of the look-up is desired.

[0047] The user of the computer 4 can define how emails from computers whose ID numbers are not stored in the database need to be treated. Depending on user-specified settings of the computer 4, emails from unauthorized/unidentified computers can be, for example, blocked or rejected. For instance, the user can create a contact list in which all authorized users are listed. If the received ID number does not match the ID number stored for an authorized user from the contact list, the email will be rejected.

[0048] These settings, for example, prevent the user from receiving undesired emails from individuals who frequently change their email address or camouflage the return address. These undesired emails cannot be blocked by conventional filters which can be defined in email applications because the filters are typically only sensitive to the field “From:” for the return address.

[0049] In addition, the settings prevent the user from receiving unsolicited emails from Internet marketing companies or so-called “spammers.” A “spammer” is an individual user or a service which posts irrelevant or inappropriate messages to one or more users, sends large amounts of unsolicited emails meant to promote a product or service, or intends to crash a program by overrunning a fixed-size buffer with excessively large input data.

[0050] Moreover, the computer 4 can not only block or reject emails from unauthorized users, but also identify if the return email address that appears in the field “From:” is indeed the real email address. For example, the sender of the email could pretend to be an authorized user by changing the email address to one the sender believes the computer 4 accepts. However, because the ID number is included in the received email, the false identity of the sender of the email can be recognized.
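The event-triggered look-up of paragraphs [0045] to [0050] can be sketched as follows. This is an added example, not code from the patent: the header name `X-Processor-ID`, the contact list, the verdict labels and the sample messages are all constructed assumptions, and the ID number is taken as reported by the sending client module.

```python
from email import message_from_string
from email.utils import parseaddr

ID_HEADER = "X-Processor-ID"  # hypothetical header name; the page defines no wire format

# Constructed contact list: return address -> ID number registered for it.
CONTACTS = {
    "alice@xyz.com": "0a1b2c3d4e5",
    "bob@xyz.com": "00f00dbeef1",
}


def classify(raw_message, contacts, unknown_policy="reject"):
    """Return (verdict, registered_owner) for one received message.

    verdict is "accept", "false-identity", "address-changed", or the
    user-chosen unknown_policy ("reject" or "block").
    """
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    received_id = (msg.get(ID_HEADER) or "").strip().lower()

    # Inverted view of the contact list: ID number -> registered address.
    owner_by_id = {id_number: address for address, id_number in contacts.items()}
    owner = owner_by_id.get(received_id)

    if owner is not None and owner == sender:
        return ("accept", owner)           # ID and "From:" agree with the list
    if sender in contacts:
        return ("false-identity", owner)   # "From:" names a contact, the ID does not
    if owner is not None:
        return ("address-changed", owner)  # known computer behind an unlisted address
    return (unknown_policy, None)          # unidentified computer


def make_message(from_field, id_number=None):
    """Build a constructed sample message for the demonstration."""
    headers = [f"From: {from_field}", "Subject: hello"]
    if id_number is not None:
        headers.append(f"{ID_HEADER}: {id_number}")
    return "\n".join(headers) + "\n\nmessage body\n"


SAMPLES = {
    "genuine": make_message("Alice <alice@xyz.com>", "0A1B2C3D4E5"),
    "forged_from": make_message("alice@xyz.com", "7777777777a"),
    "forged_by_bob": make_message("alice@xyz.com", "00f00dbeef1"),
    "new_address": make_message("throwaway@example.net", "00f00dbeef1"),
    "stranger": make_message("promo@example.net", "12345678901"),
    "no_id": make_message("promo@example.net"),
}


def run_samples(policy="reject"):
    return {name: classify(raw, CONTACTS, policy) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14} {verdict}")
```

A filter keyed only on the “From:” field would accept both forged samples; the ID comparison is what separates them from the genuine message.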

[0051] Sending an e-mail from one user to another user is only one example of how the users can communicate with each other. Generally, the users of the computers 2, 4 can establish conferencing connections to communicate with each other. The conferencing connections can include video conferences, voice (audio) connections, chat connections, and data connections. It is contemplated that the various types of conferencing connections can be combined so that, for example, a data connection is parallel to a voice connection.

[0052] FIG. 2 shows a block diagram of a further embodiment of a computer network. The illustrated computer network includes (personal) computers 20, 22 and a server 26 which have access to the Internet, generally labeled with reference numeral 24. The server 26 and the computers 20, 22 are usually located at different remote locations. Individual users operate the computers 20, 22 that are similar to the computer 2 shown in FIG. 1 and described above. In one embodiment, the computers 20, 22 include client software modules 28, 30 (“client modules”), application programming interface (API) modules 29, 31, and identification modules 33, 35. The modules are illustrated as individual modules within the computers 20, 22. However, those skilled in the art will appreciate that each of the modules are optional and can be distributed within the computers 20, 22 and perform various functions as described below.

[0053] The server 26 and the computers 20, 22 can connect to the Internet 24 by use of communications links 34, 36, 38, respectively. It is contemplated that a plurality of servers 26 and computers 20, 22 can connect to and access the Internet 24.

[0054] In the illustrated embodiment, the Internet 24 and the communications links 34, 36, 38 form the communications medium for the server 26 and the computers 20, 22. In addition, the communications medium may also encompass Internet access/service providers. Examples of Internet access/service providers include America Online, the Microsoft Network, Prodigy, CompuServe, and Network Intensive to name a few. Many users pay monthly access fees to the Internet access/service providers because the Internet providers provide local telephone connections, a variety of services and an organized format for accessing the Internet 24.

[0055] The Internet access/service providers are optional, and in some cases, the computers 20, 22 may have direct access to the Internet 24. For example, the computers 20, 22 may be connected to a local area network that in turn is directly connected to the Internet 24. It should be understood that the local area network may also connect to the Internet 24 via a conventional telephone line; however, since local area networks typically have a higher volume of data traffic, it is advantageous to include a high-speed connection to support the volume of the information which the local area network will transfer to and from the Internet 24.

[0056] In one embodiment, the client modules 28, 30 interact with the API modules 29, 31. The client modules 28, 30 access the operating system and other services of the computer 20, 22 through the API modules 29, 31. The API modules 29, 31 are defined at source code level and provide a level of abstraction between the client module and other aspects of the computer system. In other embodiments, the client modules 28, 30 directly interact with the operating system or hardware components.

[0057] The API module 29, 31 can also provide an interface between a high level language and lower level utilities and services which were written without consideration for the calling conventions supported by compiled languages. In this case, the API module's 29, 31 main task may be the translation of parameter lists from one format to another and the interpretation of call-by-value and call-by-reference arguments in one or both directions.

[0058] For instance, the API modules 29, 31 receive requests “Get: ID number” from the client modules 28, 30 and retrieve the ID numbers from the identification modules 33, 35 (processors) of the computers 20, 22, respectively. Then, the API modules 29, 31 forward the retrieved ID number to the client modules 20, 22 where the ID numbers are available for further processing within the computers 20, 22. The further processing includes, for example, creating a hashed or encoded version of the actual ID number.

[0059] Associated with the client modules 28, 30 and the API modules are so-called Software Development Kits (SDK). An SDK is generally the software module provided by a software vendor to allow their products to be used with those of other software vendors. In one client application, the SDK module directs the API module to retrieve the ID number. The SDK modules and the client modules 28, 30 allow the users to perform various applications such as look-ups in database and sales transactions as described below in greater detail. For example, the SDK modules register the computers 20, 22 with the server 26, and contact the server 26 when the computers 20, 22 access the Internet 24.

[0060] In one embodiment, the server 26 includes an identification database 32, which stores the ID numbers of the computers 20, 22 that are registered with the server 26. The server 26 is a computer that provides services for the computers 20, 22 and other computers connected to it via the Internet 24. As a general function, the server 26 services requests from the remote computers 20, 22 (clients) to read from and write to the identification database 32. The server 26 is also referred to as the “directory server.”

[0061] The server 26 allows access to the identification database 32 by means of a database query language. With this language, users can (interactively) formulate requests and generate reports. A known example of a database query language is structured query language (SQL).

[0062] SQL is an industry-standard language for creating, updating and querying relational database management systems. In some applications, SQL is embedded in general purpose programming languages. SQL provides for a variety of functions to organize databases. To name a few functions: define and manipulate tables of data, generalize and specialize hierarchies, multiple inheritance, user defined data types, triggers and assertions, support for knowledge based systems, recursive query expressions, and additional data administration tools. SQL also includes the specification of abstract data types (ADTs), object identifiers, methods, inheritance, polymorphism, encapsulation, and all of the other facilities normally associated with object data management.

[0063] The server 26 and the computers 20, 22 use a common protocol, for example, TCP/IP, to encode the requests from the computers 20, 22 and the responses of the server 26. The server 26 may run continuously (as a daemon), waiting for requests to arrive or it may be invoked by some higher level daemon which controls a number of specific servers. Examples of servers that are associated with the Internet 24 include those for Network File System, Network Information Service (NIS), Domain Name System (DNS), FTP, and Network Time Protocol.

[0064] In one embodiment, the server 26 is further configured to operate as a server in accordance with the Lightweight Directory Access Protocol (LDAP) in addition to TCP/IP. In another embodiment, the server 26 can be configured to operate in accordance with Recommendation H.225.0 defined by the International Telecommunication Union (ITU). The Recommendation is entitled “Call signaling protocols and media stream packetization for packet-based multimedia communication systems.”

[0065] Referring to the server 26 applying LDAP, an entry into a LDAP directory is defined as a collection of attributes with a name, called a distinguished name (DN). The DN refers to the entry unambiguously. Each of the entry's attributes has a type and one or more values. The types are typically mnemonic strings, like “cn” for common name, or “mail” for e-mail address. The values depend on the type.

[0066] Generally, LDAP directory entries are arranged in a hierarchical structure that reflects political, geographic, and/or organizational boundaries. Entries representing countries appear at the top of the tree while other entries in the tree represent states or national organizations. Below them, there may be entries representing people, organizational units, printers, documents, or the like.

[0067] As mentioned above, the server 26 is referred to as a directory server. An example of a directory server is a Netscape Directory Server available from Netscape, Inc. The Netscape Directory Server connects/hooks in one embodiment into Oracle8, a software module available from Oracle Inc. Briefly, Oracle8 includes a server software module configured for database applications, for example, online transaction processing (OLTP). The directory server implements a network-based registry, enabling applications to share data such as users, groups, and preferences. The server supports millions of entries and fast searches, for example, hundreds of queries per second.

[0068] FIG. 3 shows an exemplary data format as used in the identification database 32. The identification database 32 includes several fields 32A-32F of predetermined sizes. Each field 32A-32F includes an attribute. In the illustrated embodiment, the ID number is assigned to the field 32A which has a size of 44 bits. The user name and the email address are assigned to the fields 32B, 32D, respectively. The field 32B has a size of 128 bits and the field 32D has a size of 256 bits. The field 32C includes an attribute “activity status” and the field 32E includes an attribute “authentication status.” The field 32F includes an attribute “ISP” defining the Internet service provider. It is contemplated that the identification database 32 can include additional fields, such as for the IP address, geographical data and other user information.

[0069] In one embodiment, only the email address and the ID number are indexed. As is known in the art, an index is a sequence of (key, pointer) pairs where each pointer points to a record in the database that contains the key value in a particular field. The index is sorted on the key values to allow rapid searching for a particular key value. In one embodiment, the index can be “inverted” in the sense that the key value is used to find the record rather than the other way round. For databases in which the records may be searched based on more than one field, multiple indices may be created that are sorted on those keys.

[0070] When the client applications of the computers 20, 22 connect to the Internet 24, each computer 20, 22 has the option to register with the server 26. The registration of the computers 20, 22 is illustrated in FIG. 4 which shows a flow chart of one embodiment of a registration procedure.

[0071] The client module 28 prompts the user to input the email address. The user inputs the email address under which the user can receive emails. During a subroutine in state 202, the client module 28 retrieves the ID number from the processor and prepares a message to be sent to the server 26. The client module 28 includes, as a default setting, the IP address of the server 26. In addition, the client module 28 may have a list of additional appropriate servers connected to the Internet 24.

[0072] Proceeding to state 204, the computer 20 waits, if not yet connected, until the user establishes a connection to the Internet 24, for example, by dialing the number of an Internet service provider. As indicated in state 206, the procedure returns along the NO branch to state 204 as long as the computer 20 waits for a connection to the Internet 24.

[0073] Upon connection to the Internet service provider, the procedure proceeds along the YES branch to state 208. In state 208, the client module 28 (e.g., via SMTP) initiates sending the prepared message to the server 26. The message includes the ID number, the user's email address and the IP address. It is contemplated that additional information can be added depending on the data format used, as described below with reference to FIG. 5.

[0074] Proceeding to state 210, the server 26 records and organizes the information received with the message within the identification database 32. When this registration procedure is finished, the computer 20 is registered and the server 26 is ready for look-up, as indicated in state 212 and the procedure ends in state 214. The registration procedure registers the computer 20 with the server 26 for future verification by retrieving the ID number from the computer 20 and sending it to the server 26. At the end of the registration procedure, the ID number is stored in the server 26.

[0075] Under certain circumstances, for example, to provide for increased security against unauthorized access, the ID number can be modified within the computer 20. The computer 20 uses conventional authentication software which applies a hash function to the ID number. One example of such authentication software is iGuard that uses iGuard Secured Agents. The iGuard software is available from Rainbow Technologies, Inc.

[0076] In one embodiment, the computer 20 applies a hash function to the ID number to convert it to a first hashed ID number. In one embodiment, the first hashed ID number uses the ID number and a server-specific server identifier. The server 26 then stores the first hashed ID number.

[0077] Once the computer 20 is registered, the server 26 can authenticate the computer 20 during a connection. In one embodiment, the server 26 generates and sends a first random number to the computer 20 and requests a return message. In certain embodiments, the random number is called a session number. In addition, the server 26 sends a specific key to the computer 20. The specific key provides that a distinct authentication code is included in the return message from the computer 20.

[0078] The computer 20 applies the hash function to the first hashed number, the session number, the specific key, and a second random number to convert these numbers to a second hashed ID number. That is, the second hashed ID number is a function of the hashed number, the session number, the specific key and the second random number. The computer 20 generates the second random number so that the authentication code would be different even if the session number were a fixed value.

[0079] The server 26 receives the second hashed ID number and extracts the first hashed ID number. The server 26 retrieves the stored first hashed ID number and compares it with the extracted first hashed ID number. If the hashed ID numbers match, the computer 20 is authenticated.
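The registration and challenge-response exchange of paragraphs [0076] to [0079], as an added Python example that is not part of the patent. Assumptions: SHA-256 and HMAC-SHA-256 stand in for the unspecified hash function, the client sends its second random number alongside the response, and, because a hash cannot be inverted, the server recomputes the second hashed ID from its stored first hashed ID instead of extracting it. All class names, function names and sample values are constructed.

```python
import hashlib
import hmac
import secrets


def _encode(*parts: bytes) -> bytes:
    """Length-prefix each field so adjacent values cannot be confused."""
    return b"".join(len(p).to_bytes(4, "big") + p for p in parts)


def first_hashed_id(id_number: int, server_id: bytes) -> bytes:
    """[0076]: hash of the ID number and a server-specific identifier."""
    if not 0 <= id_number < 2**44:  # field 32A is 44 bits wide
        raise ValueError("ID number must fit in 44 bits")
    data = _encode(id_number.to_bytes(6, "big"), server_id)
    return hashlib.sha256(data).digest()


def second_hashed_id(first_hashed, session_number, specific_key, second_random):
    """[0078]: function of first hashed ID, session number, key, client random."""
    msg = _encode(session_number, specific_key, second_random)
    # Assumption: HMAC keyed with the first hashed ID replaces a bare hash.
    return hmac.new(first_hashed, msg, hashlib.sha256).digest()


class Server:
    def __init__(self, server_id: bytes):
        self.server_id = server_id
        self.registered = {}  # email -> first hashed ID, stored at registration
        self.pending = {}     # email -> (session number, specific key)

    def register(self, email, hashed_id):
        self.registered[email] = hashed_id

    def challenge(self, email):
        """[0077]: issue a fresh session number and a specific key."""
        issued = (secrets.token_bytes(16), secrets.token_bytes(16))
        self.pending[email] = issued
        return issued

    def verify(self, email, second_random, response) -> bool:
        """[0079]: recompute from the stored first hashed ID and compare."""
        issued = self.pending.pop(email, None)  # each challenge is single-use
        stored = self.registered.get(email)
        if issued is None or stored is None:
            return False
        expected = second_hashed_id(stored, issued[0], issued[1], second_random)
        return hmac.compare_digest(expected, response)  # constant-time compare


class Client:
    def __init__(self, id_number, email, server_id):
        self.email = email
        self.hashed = first_hashed_id(id_number, server_id)

    def respond(self, session_number, specific_key):
        """Return the client's second random number and the second hashed ID."""
        second_random = secrets.token_bytes(16)
        response = second_hashed_id(
            self.hashed, session_number, specific_key, second_random)
        return second_random, response


def demo():
    """Run one accepted login, one replay and one wrong-ID attempt."""
    server = Server(b"directory-server-26")            # constructed identifier
    client = Client(0x0123456789A, "user1@example.com", server.server_id)
    server.register(client.email, client.hashed)

    session, key = server.challenge(client.email)
    rnd, resp = client.respond(session, key)
    accepted = server.verify(client.email, rnd, resp)
    replayed = server.verify(client.email, rnd, resp)   # challenge already used

    # Same email address, different processor ID number.
    other = Client(0x0FEDCBA9876, client.email, server.server_id)
    session, key = server.challenge(client.email)
    rnd2, resp2 = other.respond(session, key)
    wrong_id = server.verify(client.email, rnd2, resp2)
    return accepted, replayed, wrong_id


if __name__ == "__main__":
    print(demo())
```

In this exchange the stored first hashed ID is the shared secret, so the identification database needs the same protection as a password store.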

[0080] The user of the computer 22 can register with the server 26 in the same way as the user of the computer 20. The identification database 32 then includes the unique ID numbers of the computers 20, 22. If both computers 20, 22 apply hash functions to their ID numbers, the server 26 stores two first hashed ID numbers during the registration procedure. As their ID numbers are different, the computers 20, 22 generate different first hashed ID numbers.

[0081] In one example, the users of the computers 20, 22 have both registered with the server 26 through the procedure illustrated in FIG. 4. In addition, the computers 20, 22 defined contact lists so that the computers 20, 22 accept only emails from authorized computers.

[0082] FIG. 6 is a flow chart illustrating a procedure for establishing an authenticated communication between the users of the computers 20, 22. The procedure is initialized in state 300. For illustrative purposes, the registration procedure shown in FIG. 4 is represented in state 302 to indicate that a registration is optional before the authenticating procedure can be successful. In addition, as soon as the computers 20, 22 are online, the computers 20, 22 are registered as “active” within the server 26. In this embodiment, this registration as “active” is considered as being part of the state 302.

[0083] For example, when the computer 20 is online, the server 26 receives an automatic message from the computer 20 and compares the content of the identification database 32 with the ID number received with the message. The server 26 registers the computer 20 as active when its ID number matches an ID number stored in the identification database 32. In the same manner, the computer 22 is registered as “active” as soon as it is online.

[0084] In one embodiment, the registration as “active” can be used to notify the contacts of the contact list that the computer 20 is online. For instance, as soon as the computer 20 is online, the computer 22 receives a message and displays the active state of the computer 20 through a highlighted contact name, an icon, or the like.

[0085] Proceeding to state 304, the user of the computer 20, or any other registered computer, can request a lookup of an email address from the server 26. Here, the user requests a look-up of the email address of the user of the computer 22. The user of the computer 20 prepares a message (email) to the server requesting the look-up of the email address included in the message. The message is sent over the Internet 24 to the server 26.

[0086] Proceeding to state 306, the server 26 receives the message from the Internet 24 and initiates processing the message. The processing includes starting a module to look up the email address in the identification database 32. The subroutine uses known methods to access and retrieve data from a database. The subroutine extracts the look-up email from the received message and checks if the identification database 32 includes a matching entry.

[0087] Proceeding to state 308, the server 26 generates a second message that is a response to the first message received from the computer 20. If the look-up did not result in a matching address, the second message informs the user of the computer 20 that no matching entry has been found. If, however, the look-up was successful, the second message includes an authenticated email address, authenticated because the email address is correlated to the unique ID number. In addition, the second message can include data indicating, for example, if the computer 22 is currently registered as active, i.e., if the user of the computer 22 is online at the moment.

[0088] Proceeding to state 310, the computer 20 receives the second message and extracts the authenticated email address of the computer 22. As in a conventional mail application, the user of the computer 20 can read the email upon receipt or at a later time.

[0089] Proceeding to state 312, the user of the computer 20 can directly communicate with the user of the computer 22 using the authentic email address. To communicate, the user of the computer 20 has several options. The user can send an email to the user of the computer 22 that will be recognized as coming from a known contact. Alternatively, the user can connect directly to the computer 22 to initiate an online conferencing connection, such as a chat connection, a video conference, or a voice connection, if the user of the computer 22 is currently online or available. The procedure ends at state 314.

[0090] The described look-up via email address is typically the only way for users to find one another. This makes the system a closed system and attractive to users who do not want their information published. In particular, the system provides improved security and confidentiality for transactions that involve financial or personal data.

[0091] FIG. 5 shows a further block diagram of a computer network. In the illustrated embodiment, the computer network comprises three computers 40, 42, 44, the server 26 and two service computers 46, 48 which are in the domain of two different Internet service providers. It is contemplated that a service computer can generally be interconnected within the Internet 24 and become part of the Internet 24. This is indicated through a service computer 49, located within the Internet 24 and shown with dashed lines for illustrative purposes. The Internet service providers are indicated in FIG. 5 as ISP-1 and ISP-2.

[0092] The server 26, the computers 40, 42, 44 and the service computers 46, 48 are connected to the Internet 24. The computers 40, 42, 44 are connected to the Internet 24 via communication links 62, 64, 66, respectively, and the server 26 is connected to the Internet 24 via a communications link 72. The service computers 46, 48 are connected to the Internet 24 via communications links 68, 70, respectively. In addition, the computer 44 has a direct communications link 60 to the service computer 48 of the ISP-2.

[0093] The computers 40, 42, 44 include client modules 50, 52, 54, respectively, and are assigned to different users, indicated as USER-1, USER-2, USER-3. It is contemplated that the computers 40, 42, 44 are similar to the computers 20, 22 shown in FIG. 2 and described above, and that the client modules 50, 52, 54 perform similar functions as the client modules 28, 30 also shown in FIG. 2 and described above.

[0094] The server 26 includes a directory module 74 and the identification database 32. In the illustrated embodiment, the identification database 32 includes a general database 56 and a database 58 for storing the information of active users, i.e., users who are currently online. The server 26 can access and modify the identification database 32 in response to a request of an Internet service provider or a client, for example, from one of the computers 40, 42, 44.

[0095] In the illustrated embodiment, the users USER-1, USER-2, USER-3 want to access the Internet 24 and the Internet service providers ISP-1, ISP-2 and perform secured transactions. For this example, it is assumed that the ID numbers of the computers 40, 48 are stored in the identification database 32.

[0096] As soon as the user USER-1 is online, the client module 50 API (SDK) automatically sends a message to the server 26, as indicated through a connection line L1. The message includes the ID number. The message may also include, but is not limited to, the IP address and email address as described above. The directory module 74 receives and processes the message and initiates an update of the identification database 32. The user USER-1 is then stored as an active user.

[0097] If the user USER-1 wants to communicate with the Internet service provider ISP-1, the user USER-1 requests a look-up of the email address of the Internet service provider ISP-1. The server 26 executes this look-up request and generates a response if the requested email address matches one of the stored and authenticated email addresses. The generated response includes the IP address of the Internet service provider ISP-1. The response sent to the user USER-1 is indicated through a connection line L2. Using the IP address, the user USER-1 can then directly connect to the Internet service provider ISP-1.

[0098] Similarly, the client modules 52, 54 of users USER-2, USER-3 register as active users when accessing the Internet 24. Regarding the user USER-2, the register and look-up procedure is indicated through connection lines L3, L4, and regarding the user USER-3, the register and look-up procedure is indicated through connection lines L5, L6.

[0099] If the user USER-2 requests a look-up of the email address of the user USER-3, the response includes the IP address of the computer 44 of the user USER-3. The user USER-2 can then directly connect to the user USER-3 to send an email, to chat, to have a video conference, or the like. The connection between the computers 42, 44 is indicated as connection line L8.

[0100] It is contemplated that the user USER-2 can look up a variety of email addresses. A general connection with a computer connected to the Internet 24 is indicated through a connection line L9. Correspondingly, the user USER-3 can connect to the Internet service provider ISP-2 via the Internet 24, as indicated through a connection line L10. Alternatively, the computer 22 and the service computer can be connected through the communications link 60, as described above.

[0101] FIG. 4 shows a further block diagram of a computer network. In the illustrated embodiment, the computer network comprises a client computer 84, the server 26 and a web computer 80. The web computer 80 can be in the domain of an Internet service provider and provides for a website, for example, for an Internet shop. The web computer 80 includes a software module 82 running interactive purchase software. As in the previous drawing, it is contemplated that the web computer 80 can generally be interconnected within the Internet 24 and become part of the Internet 24.

[0102] The server 26 and the computers 80, 84 are connected to the Internet 24 which provides for the communications medium. The client computer 84 is connected to the Internet 24 via a communication link 88, and the server 26 is connected to the Internet 24 via a communications link 90. The web computer 80 is connected to the Internet 24 via a communication link 86.

[0103] The client computer 84 includes the client module 28 and is assigned to a user interested in purchasing products over the Internet. Similar to the previous drawings (FIG. 1), the client computer 84 includes the identification module 8. It is contemplated that the computers 80, 84 are generally similar to the computers 40-48 shown in FIG. 2 and described above, and that the client module 28 performs similar functions as the client modules 28, 30, also shown in FIG. 2 and described above.

[0104] FIG. 4 illustrates an example for electronic commerce in which the Internet shop (web computer 80) offers goods and services over the Internet 24 and the user of the client computer 84 intends to order goods from the Internet shop.

[0105] In this example, the web computer 80 and the client computer 84 have registered with the server 26 according to the registration procedure illustrated in FIG. 4. Using a communications link C1, the user of the client computer 84 requests a look-up of the email address of the Internet shop. The server 26 performs the lookup in its database 92 and returns an authenticated email address if the look-up email address matches an entry correlated to the ID number in the database 92.

[0106] The user of the client computer 84 can then establish a direct communications link C2 with the web computer 80 using the authenticated email address. This assures the user of the client computer 84 that the communication occurs directly with the Internet shop when the user places an order with the Internet shop. In some cases, the Internet shop requires that the order include consumer-specific data such as name, address and the number of the credit card.

[0107] Before the Internet shop confirms the order via a communications link C3, the Internet shop can request a look-up of the client's email address to ensure that the data of the order is correct. The look-up request and the resulting response occur via communications links C4, C5, respectively.

[0108] As described above, the ID numbers are unique within the identification database 32 as well as within the Internet 24. In contrast, user names and email addresses, for example, can appear more than once within the continuously growing global Internet. Because of this, there may be two users that claim to have the same email address. If such a collision occurs on a lookup, both users will be returned from the query. The identification database 32 permits users to look up other users only by email address and not by the ID number. However, the index to the ID number is there, because the contact list may need to look up a specific ID number.

[0109] While certain preferred embodiments of the invention have been described, these embodiments have been presented by way of example only, and are not intended to limit the scope of the present invention. Accordingly, the breadth and scope of the present invention should be defined only in accordance with the following claims and their equivalents.

What is claimed is:
1. A method of maintaining a user identification database that indicates when users are in communication with a network, the method comprising the acts of: associating in a computer accessible storage medium electronic mail addresses, processor-embedded identifiers and status information; receiving a first electronic message from a first computer, the first electronic message containing an electronic mail address and a copy of the processor-embedded identifier existing in the first computer; using the first electronic mail address to access the corresponding processor-embedded identifier stored in the storage medium; comparing the processor-embedded identifier from the first computer with the processor-embedded identifiers of the storage medium; and modifying the status information in the storage medium to indicate that the first electronic mail address is authentic when the processor-embedded identifier from the first computer matches a processor-embedded identifier of storage medium.
2. The method of claim 1, further comprising the acts of: receiving a second electronic message from a second computer, the second electronic message requesting authentication of the first electronic mail address; comparing the first electronic mail address with the electronic mail addresses stored in the storage medium; sending a third message to the second computer that indicates whether the first electronic mail address is authentic.
3. The method of claim 2, further comprising the acts of: obtaining the status information that corresponds to the first electronic mail address; and including the status information to the third message.
4. The method of claim 2, further comprising the act of using the authenticated first electronic mail address to establish a communications link between the first and second computers.
5. The method of claim 1, wherein the act of modifying the status information includes indicating the first computer as active.
6. The method of claim 2, wherein the act of receiving the second electronic mail includes indicating the second computer as active in the storage medium.
7. The method of claim 1, wherein the act of associating electronic mail addresses includes registering the first and second computers in a computer accessible database.
8. The method of claim 7, wherein the act of registering includes storing each processor-embedded identifier in the database together with the electronic mail address of the registering computer.
9. The method of claim 1, further comprising the act of altering the processor-embedded identifier in the first computer.
10. The method of claim 9, wherein the act of altering includes encoding the processor-embedded identifier.
11. The method of claim 9, wherein the act of altering includes hashing the processor-embedded identifier.
12. The method of claim 1, further comprising the act of using the communications link to initiate sending an order from the first computer to the second computer as part of a sales transaction.
13. A method of establishing a conferencing connection comprising the acts of: receiving a first processor-specific identifier embedded within a first computer when the first computer is in communication with a communications medium; receiving a second processor-specific identifier embedded within a second computer when the second computer is in communication with the communications medium; and providing to the first computer indication that the second computer is in communication with the communications medium in response to a request from the first computer to initiate a conferencing connection with the second computer.
14. The method of claim 13, further comprising the act of maintaining a contact list in the first computer, the contact list indicating a status of the second computer.
15. The method of claim 14, wherein the contact list indicates the status of the second computer as active when the second computer is in communication with the communications medium.
16. The method of claim 13, wherein the conferencing connection is selected from a group including a video conference, an electronic mail connection, a chat connection, a data connection, and a voice connection.
17. The method of claim 13, further comprising the act of sending a connect request from the first computer to the second computer.
18. The method of claim 17, wherein the request includes an electronic mail address of the second computer.
19. The method of claim 13, wherein the act of providing includes comparing the electronic mail address with computer specific data stored in an identification database.
20. The method of claim 13, wherein the acts of receiving include registering the first and second computers as active in the identification database.
21. A method of identifying computer users by using processor-specific identifiers, the method comprising the acts of: receiving a first processor-specific identifier that is embedded within a computer processor; accessing a database that associates processor-specific identifiers with information about users of computer processors; and obtaining the information of a computer processor user that corresponds to the first processor-specific identifier.
22. The method of claim 21, wherein the act of receiving includes receiving an altered processor-specific identifier.
23. The method of claim 22, wherein the processor-specific identifier is altered through encoding.
24. The method of claim 22, wherein the processor-specific identifier is altered through hashing.
25. A method of identifying users by using manufacturer-embedded identifiers, the method comprising the acts of: associating a database of manufacturer-embedded identifiers with information about users, wherein each manufacturer-embedded identifier is associated with information about a user; and using the manufacturer-embedded identifier to access the user information that corresponds to the manufacturer-embedded identifier.
26. The method of claim 25, wherein the database further includes electronic mail addresses, user names and billing data.
27. The method of claim 25, further comprising the acts of: receiving a first manufacturer-embedded identifier of a first computer when the first computer is in communication with a communications medium; receiving a second manufacturer-embedded identifier of a second computer when the second computer is in communication with the communications medium; and providing to the first computer indication that the second computer is authentic in response to a request from the first computer to authenticate the second computer.
28. A method of monitoring when a processor accesses a communications medium by using a processor-specific identifier that is embedded within the processor, the method comprising the acts of: receiving from a first processor a processor-specific identifier embedded therein when the first processor is in communication with a communications medium; and updating a database to indicate that the first processor is in communication with the communications medium.
29. The method of claim 28, wherein the act of updating includes registering the first processor as active.
30. The method of claim 29, wherein the act of registering includes transferring the processor-specific identifier to an active user database.
31. A method of identifying a computer user comprising the act of associating user information with a processor-embedded identifier.
32. A computer system, comprising: a first computer connectable to a communications medium and comprising an identification module which provides a computer-specific identification number, the first computer configured to enclose the identification number to a message for sending over the communications medium; and a second computer connectable to the communications medium to receive the message and to retrieve the identification number from the message, the second computer comprising a database configured to process the identification number of the first computer to identify the first computer.
33. A communications network, comprising: a first computer connectable to a communications medium and comprising a first identification module which provides a first identification number, the first computer configured to generate a first message including the first identification number for sending over the communications medium; a second computer connectable to the communications medium; a computer server connectable to the communications medium and comprising an identification database, the computer server configured to receive the first message and to retrieve the first identification number from the first message, the computer server further configured to process the first identification and to update the identification database.
34. The network of claim 33, wherein the second computer comprises a second identification module which provides a second identification number.
35. The network of claim 34, wherein the second computer is configured to generate a second message including the second identification number for sending over the communications medium.
36. A computer, comprising: a communications module configured to receive and send electronic messages; and a database storing electronic message addresses and corresponding processor-specific identifiers, the database configured to be updated through a first electronic message containing a first electronic message address and a first processor-specific identifier.
37. The computer of claim 36, wherein the database is configured to generate a second message including an authenticated first electronic message address.